United Firefighters' Union of Australia v Fire Rescue Victoria
[2024] FWC 2197
23 AUGUST 2024
FAIR WORK COMMISSION
DECISION
Fair Work Act 2009
s.739 - Application to deal with a dispute
United Firefighters' Union of Australia
v
Fire Rescue Victoria
(C2023/6925, C2023/6928 & C2023/6929)
COMMISSIONER WILSON
MELBOURNE, 23 AUGUST 2024
Alleged dispute about any matters arising under the enterprise agreement and the NES;[s186(6)].
This decision addresses three applications in separate enterprise agreements by the United Firefighters’ Union of Australia (UFU), seeking determination of an allowance for employees using their personal mobile phones in order to authenticate their identity for access to the IT network of Fire Rescue Victoria (FRV).
The applications follow a major cyber-attack on FRV in December 2022, after which FRV responded by introducing more robust user authentication methodologies for the access and use of its IT network.
The three enterprise agreements involved in this matter are;
Fire Rescue Victoria Operational Employees Interim Enterprise Agreement 2020 (Operational Agreement);
Fire Rescue Victoria Former CFA Professional, Technical and Administrative Agreement 2016 (PTA Agreement); and
Fire Rescue Victoria (Former MFB) Corporate & Technical Employees Agreement 2017 (CTE Agreement)
The applications to the Commission in respect of each of these agreements allege, pursuant to s.739 of the Fair Work Act 2009 (FW Act), a dispute, arising under each enterprise agreement, with the attendant request that the disputes be resolved by the Fair Work Commission.
The applications were the subject of conciliation before me on 21 December 2023 and 16 May 2024, and a hearing convened on 20 and 22 May 2024, at which Mr Jim McKenna of Counsel appeared for the UFU and Mr Marc Felman KC appeared for the FRV.
At the hearing, witness evidence on behalf of the UFU was taken from Ms Maria Abrahams, Mr David Hamilton, Mr Danny Ward, Ms Belinda Ganal and Mr James Kerwin. A witness statement on behalf of the UFU was also received from Ms Georgia Barendse.
Mr Dallas Reilly and Mr Christopher Moon, respectively FRV’s former and current Chief Information Officers, gave evidence on behalf of FRV.
CONTEXT OF THE DISPUTE
(a) December 2022 cyber-attack
FRV was formed on 1 July 2020, with employees, systems and assets being drawn from the former Metropolitan Fire Brigade and Country Fire Authority.
The three enterprise agreements listed at paragraph [3] cover the bulk of FRV’s employees. At the time of the hearing, FRV employed approximately 4,500 staff. Approximately 3,800 of those are operational firefighters covered by the Operational Agreement and approximately 700 employees are covered by either the PTA or the CTE Agreement. FRV has 85 fire and rescue stations across the state; with 47 within metropolitan Melbourne, and 38 in regional areas.[1]
On 15 December 2022, FRV was subjected to a large-scale and debilitating cyber-attack. FRV’s current Chief Information Officer, Christopher Moon, who started with FRV in November 2022, the month before the cyber-attack, reports the immediate and lasting impacts of the attack;
“41. As a result of this incident, FRV lost access to virtually all internal ICT systems, this included, critical operational systems such as the system to notify FRV stations to deploy to incidents, as well as other supporting systems such as email, telephones, Internet access.
42. Several systems such as Office 365 (which provides email, document storage, etc.) were hosted outside of the FRV network and unimpacted by the cyber-attack. The cyber-attack was extremely disruptive and due to many systems being unavailable usual processes and work practices could not be followed. FRV and the UFU worked together to develop a list of workarounds to ensure that operations and critical functions were able to continue in the absence of supporting IT systems.
43. Critically, FRV disconnected its network from the other networks (such as the Internet and other Emergency Service Organisations) to prevent further issues, such as an attack on Triple Zero Victoria or the exfiltration (theft) of FRV data by the attackers.
44. Due to the entire FRV environment being unavailable and network being disconnected FRV fire stations had no connectivity whatsoever to the outside world, except by the radio network. This meant in the initial days of the cyber-attack, documents such as timesheets were being written on paper and distributed around Victoria by a team of drivers.
45. To improve this situation FRV arranged to borrow 150 laptops from the FRV Training Academy, these were configured to access the FRV Office 365 environment, however as the FRV network was unavailable these devices were considered ‘remote’ and required MFA to access Office 365. Therefore, staff at fire stations were required to register for MFA before they could access Office 365 and hence email.
46. The core FRV network has not yet been restored. A temporary internet only network has been established, similar to how internet access works at a hotel or airport, however it does not connect directly to FRV systems.
47. Most laptops and desktops have now been updated to utilise this network, whilst work continues to restore the original FRV network with enhanced security. However, this means all these laptops and desktops are treated as ‘remote’ and require the use of MFA. This has meant that a significant number of staff who had not previously needed to use MFA, as they didn’t work ‘remotely’ were now required to register and use MFA.
…
52. The core FRV network has not yet been restored. This had the practical consequence that the FRV ICT systems now effectively operate as though all persons are externally accessing those systems as though they are outside the FRV network and therefore need to use MFA, i.e. everyone who accesses FRV ICT systems is treated as though they are a remote user, regardless of whether they are, in fact, physically working remotely or on FRV premises.”[2]
An internal incident report elaborates on the magnitude of the attack and the disruption it caused;
“The impact of the cyber-attack on FRV was far-reaching. Our business operations were disrupted as many of our systems became inaccessible, including our internal servers, email and telephony systems.
The disruption caused communication challenges that ultimately impacted business critical processes, affecting day-to-day administration and forcing operations to activate business continuity plans. Despite this, we continued providing critical fire and rescue services to the community using mobile phones, pagers and radio communication, turning out crews and fire trucks to protect life and property.
Payment of some employee entitlements was delayed in the months that followed the cyber-attack due to the need to implement more manual payment practices. As of 30 June 2023, all wages and entitlements that were delayed due to the cyber-attack had been paid in full. FRV is particularly grateful to employees for their patience in the months following the December 2022 attack.”[3]
Returning systems to normal functions took months, with some functionality still not returned.[4] FRV responded to the attack by establishing an Incident Management Team as well as an ICS Recovery Working Party, established under the Operational Consultative Committee. To their great credit, employees and the UFU actively assisted with building and running workarounds to the debilitated systems while functionality was restored.
(b) Introduction of Multifactor Authentication (MFA)
(i) Before cyber-attack
Beyond functionality restoration, steps were taken by FRV in 2023 to further secure its systems. One of these steps was to make multifactor authentication (MFA) a requirement for all systems access. Before December 2022, MFA had been required only for remote access to FRV’s systems – that is, from a computer or other device that was not connected directly to FRV’s network, but which sought temporary connection.
In December 2021, a year prior to the cyber-attack, FRV initially described the deployment of multifactor authentication to its employees in this way;
“1. Why is FRV implementing Multi-Factor Authentication (MFA)?
The primary drivers for implementing Multi-Factor Authentication are to protect FRV user account credentials from being accessed from outside of the FRV network by unauthorised users, and to protect FRV Information Communication Technology (ICT) systems from malicious attack. MFA also complies with data protection policy covering all Victorian government agencies.
2. How do I register for MFA?
MFA is a one-time registration process for each user who needs to access FRV Exchange Online or Outlook web access from outside FRV’s network or from their personal device. The user will be asked to select the preferred MFA option such as using Microsoft Authenticator Application or text message (SMS) based authentication. If the user selects the text message-based authentication the user will need to provide the preferred phone number to receive the one-time password (6 digits). The next time the user connects from their personal device they will be prompted to provide the 6 digits one-time password received via text message. The user must key the digits of the one-time password into the field and then access is granted.
3. How will MFA improve my cyber security?
MFA will prompt users with a One Time Password (OTP) received via a pre-registered mobile phone whenever a user is accessing FRV ICT systems outside of the FRV network. This will prevent malicious actors gaining access to a user’s email, their personal records and other FRV ICT data and information. This is the recommended and secure method of accessing the ICT systems. This will protect user credentials even if the user has unknowingly shared their password via phishing email, because the attacker does not have the mobile device that receives the one-time code via SMS notification.
4. What if I don’t have an FRV mobile phone?
You can register MFA for your personal mobile device or FRV provided mobile device. If you do not have an FRV issued mobile phone, and do NOT want to use personal phone to register and receive SMS code for authentication, please raise this with your line manager, seek their endorsement, and inform the IT service desk ([email address omitted]) to identify and set up an alternative.”[5] (underlining added)
Consultation and 2023 MFA deployment
The UFU contests whether there has been consultation to the standard required by the applicable enterprise agreements, and contends that many, if not most, employees are now (post December 2022) required to use their personal devices for the purposes of authentication.
In its submissions, the UFU says that as systems were brought back online after the December 2022 cyber-attack, employees were required to use MFA for access to all FRV systems. This was the case whether the user sought access locally, while connected to an FRV server, such as from their fire station, or remotely.[6] MFA could be provided;
“a. By the Microsoft Authenticator app. This involves downloading the Microsoft Authenticator app onto a mobile phone. Then, when accessing FRV systems, a user will enter their FRV username and password, then unlock their mobile phone device and open the Microsoft Authenticator app and enter into the app a code provided from the computer or device being used to access the FRV system. The Microsoft Authenticator app will then “re-sync” with the computer or device being used to access FRV systems. The time taken for this to occur may vary depending on the quality of the internet connection and the time taken for the Microsoft Authenticator app to “re-sync” with the computer or device being used;
b. By SMS. This involves the user accessing FRV systems to enter their FRV username and password and select an option to receive an SMS message to a pre-programmed number. The user then unlocks their mobile phone device, retrieves a code from their message app and manually types this into the computer or device being used to access FRV systems.”
Further, the UFU submitted;
“21. MFA was required to be used by employees at least once each working day and subsequently throughout the day when users are “logged out”.
22. It is also possible to provide MFA by receiving the MFA code by telephone call to a pre-programmed number. Selecting a landline to receive MFA presents significant practical difficulties where a phone number can only be registered to a single employee (such that a station based landline could only be used by a single employee) and where access to FRV systems may be required from a variety of locations.”[7]
With respect to the need to re-authenticate on multiple occasions each day, Ms Ganal, an FRV Project Manager, Operational Communications, gave evidence that this was the case, as well as the frustrations which then arose. She might be logged out part way through drafting an email and then be required to log back in using MFA. The process of authentication requires opening her personal mobile phone and receiving a prompt from the authenticator app, which then endeavours to sync with the phone and laptop. The process generally takes a few minutes each time and if the internet connection is poor, it may take too long to authenticate and the process may time out, failing to authenticate altogether.[8]
(ii) 2023 Arrangements
Because of the severity of the cyber-attack, FRV found it necessary to set up numerous workarounds which enabled the organisation’s operations to continue. In his evidence, Mr Hamilton, an FRV Commander and UFU Branch President, reports that an ICS Cyber Recovery Working Party was established under the operational consultative committee to develop a list of workarounds to assist with recovery from the cyber-attack. His evidence is that “[s]ome of those “work arounds” amount to new work practices but were developed in good faith to address the impact of the cyber-attack”.[9] His evidence is also that the use of MFA, at least in the 2023 context, was never discussed by either the operational consultative committee or the working party. Mr Hamilton’s evidence about the lack of discussion about the broad use of MFA is not contested by FRV’s CIO, Mr Moon, who notes that the ICS Cyber Recovery Working Party was not formed until November 2023, after the MFA issue had been raised by the UFU. [10] Mr Moon also submits that;
“Additionally, from my perspective as CIO, the FRV Consultative Committees did previously endorse the use of MFA for when a user is accessing the FRV ICT systems from outside the FRV network, and that is the practical reality of what has arisen since the cyber-attack … In contrast to some of the action items that were agreed by the Working Party, I did not (and still do not) consider that the use of MFA involved a change to FRV systems as the requirement to use MFA when accessing remotely was previously agreed to.”[11]
This evidence of Mr Moon is cross-referenced to other comments made by him regarding the “practical reality” of the reconfigured post cyber-attack network, set out above as paragraphs 45 – 47 in his report about the impact of the attack. In particular, Mr Moon notes that 150 laptops had to be borrowed from the FRV Training Academy, with those devices considered to be remote and requiring MFA in order to access Office 365. Fire station personnel were then required to register for MFA before they could access these laptops, as the core FRV network had not yet been restored. The system worked as a temporary, internet only network, akin to a hotel or airport network.
On 11 August 2023, the UFU notified the FRV of a dispute arising under the Operational Agreement “regarding the requirement for employees to use personal mobile phones to provide MFA”.[12] A similar dispute was notified on the same date under the CTE and PTA Agreements.[13]
On 15 August 2023, Mr Moon, by then the CIO, sent employees an email which “clarified FRV’s MFA policy”.[14] This appears to have been the first occasion on which FRV stated categorically to employees that access to its systems, whether externally or internally, required frequent authentication. In the communication, Mr Moon states;
“Multi-Factor Authentication (MFA)
Dear colleagues,
I am writing to clarify FRV’s policy on using Multi-Factor Authentication (MFA) to gain access to our IT systems and network, following recent queries about the use of personal devices.
What is Multi-Factor Authentication (MFA)?
MFA is one of the most effective ways we protect valuable FRV information against unauthorised access to our systems.
It is a multi-step account login process that requires FRV employees to enter more information than just a password.
Do I have to use MFA to access FRV content?
Yes. It is FRV policy to use MFA as a layer of security to access FRV content and systems such as the Intranet, FRV email and Microsoft Teams.
How do I use MFA?
The easiest way to use MFA is via a mobile phone.
If you do not have an FRV phone or do not want to use your personal phone, there are alternative options available to you:
· If you are an operational employee, you can request a token which will generate a security code to authenticate access to FRV content via an FRV device.
To request a token, please fill in and submit this form.
Please note, if you opt for a token for MFA, you must always carry this token when you are working or anticipate being on recall, as you will be unable to access FRV systems without it. Once your token is setup, you will not be able to use mobile phone-based MFA.
· If you are a corporate employee, you can request a token but please note operational staff will be given priority access.
Due to the limited number of tokens and time it will take to procure and distribute them, you will need to register an FRV landline number to use MFA. This means you will be required to be in the office to receive the MFA code via a landline.
To register an FRV landline for MFA, please refer to the steps in this link
Please note, if you opt for a token for MFA, you must always carry this token when you are working or anticipate working, as you will be unable to access FRV systems without it. Once your token is setup, you will not be able to use mobile phone-based MFA.”[15]
A problem arose in October 2023 when Microsoft sent prompts to registered FRV users of Microsoft Authenticator, to download and install the Microsoft Authenticator app, which affected staff who used an SMS to log into FRV ICT systems. The change, initiated by Microsoft, was not authorised by FRV and subsequently disabled.[16]
In addition to permitting authentication by means of an app, text message or telephone, FRV also makes provision for authentication by means of a token, which is a small personal device issued to employees which generates a six-digit code. Whether sufficient tokens are available to employees or whether employees prefer to use their personal devices instead of a token is contentious.
The number of available tokens has risen steadily since August 2023;
· At the time of Mr Moon’s August 2023 email, FRV had 16 tokens on hand with a further 500 on backorder.[17]
· By March 2024, FRV had approximately 5000 physical tokens, of which approximately 3650 had been distributed to staff. A further 1000 had been allocated but not distributed.
· By May 2024, FRV had 5020 tokens, of which 4637 had been allocated with about 98% of those having been distributed to the usual work location of employees.
At the time of the hearing of the matters before me, about 1500 FRV employees were provided with FRV issued mobile phones.[18]
AGREEMENT PROVISIONS – DISPUTE RESOLUTION PROCEDURES AND CONSULTATION REQUIREMENTS
Each Agreement includes a Dispute Resolution Procedure, as follows;
Operational Agreement – Clause 21 of Division A and Clause 26 of Division B, both of which are sufficiently wide to allow this matter to be the subject of a dispute arising under the clauses (albeit that the disputes still need to be within jurisdiction in order to be validly raised). Amongst other subjects the clauses encompass all matters arising under the respective Divisions; “all matters relating to the application of, or for which express provision is made” in the Division; and “all matters pertaining to the employment relationship, whether or not express provision for any such matter is made” in the Division;
PTA Agreement – Clause 12, which allows for disputes to be raised about “a dispute / grievance about all matters pertaining to the employment relationship, or the National Employment Standards (NES)”;
CTE Agreement – Clause 16, which allows for disputes to be raised about “any dispute about a matter arising under this Agreement or a dispute about any matter for which express provision is made in this agreement, or a dispute about any matter pertaining to the employment relationship in respect of those to whom the Agreement applies, or a dispute in relation to the National Employment Standards”. The clause excludes disputes about matters arising under Schedule 5 of the Agreement, which has no application here since the schedule deals with classification matters.
Question 5 of the Applicant’s Questions for Determination, set out below, refers to the consultation provisions which apply under the three agreements that are the subject of this decision;
Clause 16, 17, 20 and 76 of Division A of the Operational Agreement (applicable to former MFB operational employees and those employed since the formation of the FRV);
Clause 21, 22, 25 and 83 of Division B of the Operational Agreement (applicable to former CFA operational employees);
Clause 11 and 12 of the PTA Agreement; and/or
Clause 11 of the CTE Agreement.
The provisions are lengthy and it is unnecessary to set them out here in full.
Operational Agreement
Clause 16.1 defines consultation to mean;
“the full, meaningful and frank discussion of issues/proposals and the consideration of each party’s views, prior to any decision. Committees established for the purpose of implementing this Division or appointed under this clause constitute part of the consultative process”.
Clause 16.4 provides for the functions of the Operational Consultative Committee;
“The functions of the Consultative Committee are to provide the forum for Consultation under this Clause and in particular to:
16.4.1. Consult on matters pertaining to the employment relationship of employees to whom this Division applies;
16.4.2. Consult where provisions in this Division require consultation;
16.4.3. Monitor the implementation and operation of this Division;
16.4.4. Consider and make recommendations and decisions regarding matters required to be the subject of consultation under this Division;
16.4.5. Provide a mechanism for employee input into the implementation and operation of this Division thereby utilizing employee knowledge and experience and improving communication and co-operation between the employer and the employees;
16.4.6. Without in any way limiting the other terms of this Clause, consult on the matters referred to in Section 205(1)(a)(i) and Section 205(1)(a)(ii) of the Fair Work Act 2009 in the manner required by s205(1) and (1A) of that Act; and
16.4.7. Consult on proposals involving change affecting the application or operation of this Division, employees’ terms and conditions of employment or the employment relationship of employees covered by this Division.”
Clause 16.5 provides, in relation to the functioning of the Operational Consultative Committee that;
“The Committee will operate on the basis of consensus and consensus shall be required prior to the implementation of any matter or change about which consultation is required under sub-clause 16.4”
CTE Agreement and PTA Agreement
The CTE Agreement provides, in Clause 11, that consultation relates to the consideration of each party’s views, prior to implementation;
“In accordance with clause 12 (Introduction of Change) of this agreement consultation means the full, meaningful and frank discussion of issues/proposals and the consideration of each party's views, prior to the implementation of a decision by FRV.”
Clause 12 of the same agreement provides that consultation through the provisions of Clause 11 will apply in various circumstances, including “the introduction of new technology or changes to existing work practices of employees”, where the change “is likely to have a significant effect on employees”.
Clause 11 of the PTA Agreement provides for consultation on the introduction of major change, likely to have a significant effect on employees. A major change is likely to have a significant effect on employees if it results in;
“11.1.9.1 the termination of the employment of employees; or
11.1.9.2 major change to the composition, operation or size of FRV’s workforce or to the skills required of Employees; or
11.1.9.3 the elimination or diminution of job opportunities (including opportunities for promotion or tenure); or
11.1.9.4 the alteration of hours of work; or
11.1.9.5 the need to retrain Employees; or
11.1.9.6 the need to relocate Employees to another workplace; or
11.1.9.7 the restructuring of jobs.”
QUESTIONS FOR DETERMINATION
The UFU submits that the questions to be determined by the Commission are the following;[19]
“Question 1:
Whether FRV should pay, or should have paid, an allowance or compensation to employees to whom the Fire Rescue Victoria Operational Employees Interim Enterprise Agreement 2020 (Operational Agreement) applies, where such employees are or were required to use their own personal mobile phone device in the course of their employment.
Question 2:
In the alternative to question 1, whether FRV should pay an allowance to employees to whom the Operational Agreement applies where such employees are or were required to use their own personal mobile phone device in the course of their employment in accordance with:
a. Clause 85.3 to Division A to the Operational Agreement; and
b. Clause 92.3 to Division B to the Operational Agreement.
Question 3:
Whether FRV should pay, or should have paid, an allowance or compensation to employees to whom the Fire Rescue Victoria (Former MFB) Corporate and Technical Employees Agreement 2017 (Former MFB Corporate Agreement) applies where such employees are or were required to use their own personal mobile phone device in the course of their employment.
Question 4:
Whether FRV should pay, or should have paid, an allowance or compensation to employees to whom the Fire Rescue Victoria Former CFA Professional, Technical and Administrative Employees Agreement 2016 (Former CFA Corporate Agreement) applies where such employees are or were required to use their own personal mobile phone device in the course of their employment.
Question 5:
Whether FRV has failed to consult with employees regarding the requirement to use personal mobile phone devices in the course of their employment as required by:
a. clause 16, 17, 20 and 76 of Division A of the Operational Agreement;
b. clause 21, 22, 25 and 83 of Division B of the Operational Agreement;
c. clause 11 and 12 of the Former MFB Corporate Agreement; and/or
d. clause 11 of the Former CFA Corporate Agreement.
Question 6:
If the answer to any part of question 5 is yes, whether as a result, the employees affected by the failure to consult have suffered any imposition, detriment or disadvantage and should receive and (sic) compensatory payment in consequence thereof.”
Noting that FRV objects to the Commission’s capacity to determine all of the questions, the UFU argues the above questions are within jurisdiction and should be answered in the following manner;
(i) Operational Employees
· Question 1 should be answered in the affirmative with an appropriate quantum for the proposed new allowance for employees working under the Operational Agreement being $45 per month.[20]
· Question 2, posed as an alternative to question 1, if it is necessary to answer, should be answered with the same ultimate conclusion as set out for Question 1;[21]
(ii) Former MFB Corporate Agreement
· Question 3 should be found to be within jurisdiction with an allowance of $45 per month to be paid to all corporate employees for any month since January 2023 in which that employee was not issued an FRV mobile phone or token.[22]
(iii) Former CFA Corporate agreement
· Question 4 should be answered in the same manner as for Question 3.[23]
(iv) All Three Agreements
· Question 5 should be answered generally in the affirmative;
o in respect of operational employees on the basis that there had not been consultation or consensus prior to MFA being implemented;[24]
o in respect of former MFB corporate agreement and on the basis that there was a requirement to consult in an endeavour to achieve consensus but that the FRV did not do so;[25]
o in respect of former CFA corporate agreement employees on the basis that there was an obligation to consult but that the FRV did not do so.[26]
· Question 6, activated as a consideration in the event that any part of question 5 is answered in the affirmative, should be answered;
o for operational employees on the basis that the UFU was deprived of an opportunity to consult being an “imposition, detriment or disadvantage” with the settlement of the dispute being to grant the allowance sought by the UFU;
o for corporate employees working under either the former MFB corporate agreement or the former CFA corporate agreement, a finding that employees lost the opportunity to be consulted about the MFA proposal and to provide UFU input, with the dispute being settled on the basis of granting the allowance sought by the UFU.[27]
FRV argues that the UFU’s claims that sit behind consideration of Questions 1 and 2 exceed the Commission’s jurisdiction to determine or enforce a claim for a monetary payment, making references to the limitations of the Commission on the exercise of judicial power.[28] It also argues in respect of Questions 3 and 4 that, to the extent that each is a claim for the payment of a new allowance, each is precluded by reason of the “no extra claims” clauses in each of the underlying agreements.[29]
QUESTIONS 1 AND 2 – JURISDICTION AND NEW CLAIM
After noting the decision in the National Wage Case – October 1991,[30] which permitted the creation of new allowances to compensate for the reimbursement of expenses incurred, the UFU also takes account of s.139(g) of the FW Act, which permits the creation of allowances for expenses incurred in the course of employment; for responsibilities or skills that are not taken into account in rates of pay; and for disabilities associated with the performance of particular tasks or work in particular conditions or locations.[31] At the heart of its case, the UFU argues;
“The requirement imposed by FRV upon employees to use their own personal mobile phone devices to provide MFA:
a. Involves an expense incurred in the course of employment;
b. Amounts to an additional responsibility not taken into account in rates of pay; and
c. Imposes a disability associated with the performance of particular tasks.”[32]
The UFU puts forward the establishment of the allowances on the basis that the Operational Agreement contemplates new allowances, as well as that;
“35. The use of personal mobile phones by operational employees to provide MFA is a new work practice for which there is presently no allowance, and which has not been reflected in the work value compensated by the specified wages under the FRV Operational Agreement. It has been introduced without proper approval of the Operational CC.”
and
“38. The requirement imposed by FRV upon employees to use their own personal mobile phone devices to provide MFA:
a. Involves an expense incurred in the course of employment;
b. Amounts to an additional responsibility not taken into account in rates of pay; and
c. Imposes a disability associated with the performance of particular tasks.”[33]
The Union also submits, and I accept as a matter of general community experience, that employees maintaining a personal mobile phone will incur costs for the connection, calls, data and in some cases, insurance for the device. The UFU acknowledges that identification and quantification of such costs is difficult, with different costs being experienced by different employees.[34]
Connected with the question of work value and additional responsibilities, the UFU draws upon the statement made by FRV to the consultative committees in October 2021, to the effect that “the implementation of Multi Factor Authentication (MFA) will significantly reduce the risk of FRV systems being compromised by external malicious parties”.[35] Following this, the UFU argues certain matters of additional responsibility and additional value are clear;
“42. Additional responsibility is clearly imposed on employees to effectuate the FRV’s security systems. That is done by having and using their own mobile phones and learning and applying the MFA systems established by FRV.
43. Further, operational employees who do not have FRV issued mobile phones have delivered that additional value to FRV by using their own private resources. That is done at FRV’s direction. The obligation to use a personal mobile phone to access FRV systems increases the value of the work performed by the employee and the corresponding amount that the employees should be paid for doing the work.”[36]
The UFU invites the Commission to take judicial notice of the “considerable value” of mobile phones, as well as the finance and data plans surrounding the devices, a proposition which again I accept. In this regard it submits the cheapest Telstra and Optus plans are between $50 and $70 per month, with Ms Barendse’s witness statements going to these matters;
“This presents a tangible responsibility for an operational employee to have, maintain and use such a device for the benefit of FRV. That is a responsibility increases the amount that operational employees should be paid.”[37]
The union also argues that requiring FRV staff to use their personal mobile device for MFA may disadvantage these staff, with Ms Abrahams putting forward the following in relation to the subject.
“I would prefer not to use my personal mobile phone for work purposes. I would like to be able to separate my work and personal life. The effect of the FRV cyber-incident was very worrying. I am still concerned that this might happen again and I do not want the risk of my own personal phone being impacted by any of that. I store banking apps and personal emails on my phone, and do not want these getting hacked.”[38]
FRV argues that, in respect of Questions 1 and 2, there are jurisdictional impediments to granting the relief sought by the UFU. FRV submits these arise as the questions have both retrospective as well as prospective operation.[39] FRV further argues there is no power for the Commission to determine or enforce a claim for payment under the operations agreement (to which Questions 1 and 2 pertain).[40] It also argues the UFU’s claims are misconceived, advanced “effectively at large in the course of the employment relationship”, when they should instead be determined through specific clauses of the Operational Agreement.[41]
Further, FRV argues that, while reliance upon principles within the National Wage Case – October 1991 or s.139(g) of the FW Act may have some assistance, each should be treated with caution. Most cogently, s.139 deals with “allowable award matters that may be included in modern awards (not setting out the circumstances in which those allowances would be included or the quantum of those allowances – noting that this is a matter of submissions by various parties with an interest in the content of the modern award)”.[42]
Concisely stated, the Commission’s powers are limited;
“Whether the Commission purports to exercise judicial power will depend upon the facts of the case and in particular upon whether the decision which is sought to be impugned is in truth an attempt to ascertain, declare or enforce existing rights [Waterside Workers Federation of Australia v JW Alexander Ltd (1918) 25 CLR 434 at 463] or only a step in the proper exercise of the powers conferred upon the Commission by the Parliament”[43]
Determination of factual matters, in order to ascertain future rights and obligations, was the subject of consideration by the High Court in Re Ranger Uranium;
“The power of inquiry and determination is a power which properly takes its legal character from the purpose for which it is undertaken. Thus inquiry into and determination of matters in issue is a judicial function if its object is the ascertainment of legal rights and obligations. But if its object is to ascertain what rights and obligations should exist, it is properly characterised as an arbitral function when performed by a body charged with the resolution of disputes by arbitration.
Inquiry into and determination of facts for the purpose of ascertaining what rights and obligations should be brought into existence in settlement of an industrial dispute does not cease to be an exercise of arbitral power merely because, in the course thereof, the Commission may form an opinion as to the existing legal rights and obligations of the parties. As was pointed out in Re Cram; Ex parte Newcastle Wallsend Coal Co Pty Ltd (ALJR at 409; ALR at 176) the formation of an opinion as to legal rights and obligations does not involve the exercise of judicial power, at least if it is "a step in arriving at the ultimate conclusions on which (is based) the making of an award intended to regulate the future rights of the parties". For, as was there made clear, "the formation of such an opinion does not bind the parties and cannot operate as a binding declaration of rights".”[44]
The Operational Agreement provides for the Commission to determine claims relating to additional allowances, new allowances or increases to existing allowances. This provision is not replicated in either the CTE or PTA agreements. The relevant provision from Division A of the Operational Agreement is the following (noting that a similar provision applies to Division B of the Agreement at clause 92.3);
“85.3. In accordance with existing practice the parties agree that any claim for additional allowance, new allowance, or increase to an existing allowances, will be referred to the FWC for determination if the parties are unable to agree. The parties reserve their rights to put their respective positions (to avoid doubt, the parties agree that this clause applies despite the no extra claims clause).”
However, these provisions have effect only in relation to a determination by the Commission of future entitlements. To the extent that Question 1 invites a conclusion about the past by asking “Whether FRV should pay or should have paid, an allowance or compensation …” it is plainly impermissible as it seeks a declaration of past rights. Similarly, to the extent that Question 2 asks whether an allowance should be paid to operational employees for their past use of a personal mobile phone, the question is also impermissible for the same reason.
QUESTIONS 3 AND 4 – NO EXTRA CLAIMS
Questions 3 and 4 refer to the CTE and PTA Agreements, that is, to employees other than operational firefighters. Neither agreement explicitly provides for the creation of additional or new allowances. The questions invite consideration of the payment, allowance or compensation to employees working under those agreements where the employees are or were required to use their own personal mobile phones in the course of their employment and especially for the purposes of MFA.
FRV argues about these questions that the claim within each is precluded by the “no extra claims” provisions of each agreement. In this regard the two agreements provide the following;
CTE Agreement
“22 NO EXTRA CLAIMS
22.1 This Agreement is made in full and final settlement of all enterprise bargaining claims for the life of the Agreement, however part of this settlement is that some matters are identified as reserved and to be resolved during the life of the Agreement in a clause of this Agreement.
22.2 There shall be no extra claims by either party.”
PTA Agreement
“7 NO EXTRA CLAIMS
The parties undertake that for the life of the Agreement there shall be no further claims in relation to salary increases or conditions of employment, except for those granted under the terms of the Agreement.”
The FRV argues;
“It has been held in the context of no extra claim clauses that a “claim” focuses upon a design of an employee or an employer to “improve upon or advance [an employer or employee’s] respective entitlements or interests”; it encompasses a “proposal made by the party to [an] Agreement to materially change the terms and conditions of employment set out in the Agreement other than in a manner already provided for by the Agreement”. The claim for a future monthly allowance of $45 for a mobile phone is not currently provided for under the PTA EA and/or the CTE EA; it is manifestly an extra claim in the requisite sense.”[45] (reference omitted)
The UFU argues that the dispute resolution procedures within each agreement permit the dispute’s underlying claims to be dealt with, being a dispute about any matter pertaining to the employment relationship. The UFU also puts forward that in each case, the nominal expiry date of the two agreements provides the background that further claims may be made by each party, once the renegotiation period in the relevant agreement is passed, or at the least once the nominal expiry date is reached. The nominal expiry date for each agreement was in November 2021.[46]
In support of its case the UFU draws upon the reasoning of the Full Bench in the United Firefighters Union of Australia v Metropolitan Fire and Emergency Services Board and Country Fire Authority, [2018] FWC 4920 (Rank Alignment Case) and the Full Court in Toyota Motor Corporation Australia Limited v Marmara (2014) 222 FCR 152 (Marmara).
The Full Court in Marmara accepted that it would not be a contravention of the no extra claims commitments given in the relevant enterprise agreement, for claims to be agitated in the three month period prior to the nominal expiry date, as the agreement itself allowed for negotiations for a new agreement to be commenced within that time-frame prior to the expiry of the current agreement. It also held that the term did not preclude a request by the employer to employees to vary the agreement in the manner set out in the FW Act.[47]
The Rank Alignment Case reflected this reasoning in the first instance decision;
[72] The construction which should be accorded to those words is that the parties to the Agreement bargained for and achieved an arrangement which meant they would not make “extra claims” of each other for at least the duration of the Agreement to the nominal expiry date less six months, as well as for such matters as they may, in their own discretion, choose to be the subject of bargaining for a variation to the Agreement. Such construction is consistent with and keeps open the proposition in Marmara that the clause not act as a provision for either party to contravene the Agreement by making further claims before the nominal expiry date or seeking renewal or variation of the Agreement. The no extra claims requirement does not extend to the pre-nominal expiry date negotiation period, and there is no embargo on raising proposals to vary the agreement itself within the relevant period.[48] (reference omitted)
While the decision in the Rank Alignment Case was appealed and quashed in part, the UFU submits in these proceedings that “the Full Bench did not disturb this finding with respect to the operation of the “no extra claims” provisions. Rather, the Full Bench concluded that the Commission did have the power to arbitrate the Rank Alignment Question and the Relativities Question, notwithstanding the operation of “no extra claims” provisions”.[49] With reference to one of the enterprise agreements before the Commission in the Rank Alignment Case, the Full Bench found extra claims could be made once the nominal expiry date of the agreement had passed.[50]
In its conclusion on the subject of the “no extra claims” provisions, the UFU submitted that, in the alternative, if it could be found that the union’s claim for an allowance or compensation was an “extra claim”, then FRV’s requirement that employees use their personal mobile phone for the purposes of employment related multifactor authentication must also be found to be an extra claim.[51]
It follows from the reasoning in Marmara and, more pertinently, the appeals in the Rank Alignment Case, that there is no impediment to consideration of Questions 3 and 4 by reason of the no extra claims provisions in the respective agreements. Notwithstanding references in each of the CTE and PTA Agreements to undertakings being made for “the life of the agreement”, such are to be taken as meaning a restriction on claims until the period referred to in each Agreement for their renegotiation.[52] However, for the reasons set out above in relation to Questions 1 and 2, to the extent that Questions 3 and 4 ask whether there is an entitlement for an allowance for employees who “were required to use their own personal mobile phone”, that is, for an allowance to be paid for past events, the questions are impermissible.
CONSULTATION – RELEVANT TO QUESTIONS 5 AND 6 AND GENERALLY
The UFU puts forward in broad terms that there has been insufficient consultation with employees for the purposes of each enterprise agreement. Consideration of the contention requires taking into account events both before and after the December 2022 cyber-attack.
(a) Prior to October 2021
Before October 2021 there had been a version of MFA introduced to access Citrix Remote Desktop. Mr Reilly’s recollection is that this followed an audit finding that an 8-character password was insufficient for security. The proposal made to the consultative committees was that MFA should be introduced for users accessing FRV systems from outside the FRV network.[53]
Mr Moon’s evidence in this respect is that the 2021 MFA deployment was in respect of users who needed to access the FRV environment remotely and required those users to use the Google Authenticator app. He draws a distinction between those users requiring remote access and those who accessed systems from within FRV’s network, noting that “most FRV staff accessed the FRV network when in a physical environment operated by FRV (like an office space or a station) or used an FRV laptop that was directly connected to the FRV network using a specially configured SIM card or dongle”.[54]
(b) October 2021
There are two FRV consultative committees relevant to this decision, both of which have been in existence for some time, before and after the cyber-attack. The two committees are the Operational Consultative Committee, referable to consultation with employees working under the Operational Agreement and the Corporate Consultative Committee, referable to consultation with employees working under the CTE and PTA Agreements.
Mr Hamilton who gave evidence in these proceedings and is both an FRV Commander as well as UFU Victorian Branch President, is a member of the Operational Consultative Committee. Ms Ganal, who is a Project Manager, Operational Communications with FRV, is a member of the Corporate Consultative Committee. As referred to above, the Operational Consultative Committee operates on the basis of consensus, whereas the Corporate Consultative Committee does not have that obligation.
A briefing paper entitled “Secure User Access to IT Systems – Implementing Multi factor Authentication (MFA)” was taken to each consultative committee during October 2021. In each case the papers briefed the committees of the following (so far as is relevant);[55]
“EXECUTIVE SUMMARY
• There is an urgent need to increase the security on access to systems from external devices / networks in order to protect FRV systems, network and user data. The risk exposure only impacts users accessing the FRV network from personal devices not issued by FRV.
• The implementation of Multi Factor Authentication (MFA) will significantly reduce the risk of FRV systems being compromised by external malicious parties. MFA provides additional controls and secure access to the ICT system with user name, password and a third factor (one-time password received via SMS notification or via a mobile authenticator application or dynamic number generated from a physical token). The user has an option to select preferred methods at the initial registration.
• The implementation of Phish Alert Button (PAB) in Outlook email will also enable users to securely and efficiently notify the IT Service Desk of any email they feel may be suspicious.”
“Purpose
1. To remediate a significant risk exposure to FRV systems, network and user data originating from external cyber-attacks which exploit vulnerabilities through the FRV email system. Specifically:
a. To seek support to implement secure authentication to FRV ICT systems. This would be applied to those accessing from outside FRV network and remediate the risk exposure of systems being compromised by external malicious parties. The risk exposure only impacts users accessing the FRV network from personal devices. Those using an FRV issued device will not be impacted.”
“Background
…
6. The FRV systems currently allow use of a weak password, such as 8 digits’ simple password (alpha numeric). This password protocol does not comply with the Emergency Services Sector Password Standards (14 Character complex passphrase standard) and Australian Signal Director Essential Eight requirements of implementing Multi Factor Authentication for ICT system access.
7. The current weak password policy (8 digits) implemented in the FRV ICT systems without MFA does expose systems to vulnerability that can be used by external malicious actors to compromise user credentials.
a) In July, ICS team has identified 56 risky sign-in alerts and 2 users’ that had their password compromised and used to send further spam and phishing emails to other users, including outside FRV. In Aug and Sep, 5 users accounts have been compromised and successfully login from outside Australia locations. The result is that an external actor would now understand that FRV is using an eight-digit simple password, and this could be shared more broadly, thus significantly increasing the risk that FRV will be subjected to further broad phishing attacks and other forms of attack such as “Brute Force” attacks to compromise authentication etc.”
“Employee Implications
17. The user experience will remain the same with respect to email and other systems if the user is using the FRV provided laptop or mobile phone where the data connectivity is provided by FRV (using FRV provided mobile data SIM, or dongle with mobile data connectivity).
18. If the user is accessing remotely connecting to home broadband (internet) connection to access FRV ICS system or using personal mobile device to access FRV ICT systems (such as FRV emails, SharePoint, OneDrive and MS team applications etc.) they will be required to provide passcode received via SMS notification. The process is similar to the process used by personal banking apps and is therefore familiar to most users. This will only impact users accessing the FRV network from personal devices and the total impacted users are expected to be limited. For an expected small number of users who may not have access to a mobile phone, ICS is investigating the provision of a token which can generate the one-time code in place of text message.”
“Recommendations
In accordance with the Consultative Clause 16 and Clause 21 of the FRV Operational Employees Interim Enterprise Agreement 2020,
a) Note the current risk exposure for FRV systems due to external cyber-attack using Phishing emails.
b) Note “High Risk” exposure is limited to users accessing the FRV systems from personal devices.
c) Endorse the implementation of Multi Factor Authentication (MFA) when a user is accessing the FRV systems from outside the FRV network.
d) Endorse the implementation of the Phishing Alert Button (PAB) in Outlook email for all FRV users to securely and efficiently report suspicious emails to IT Service Desk.”
The minutes of the respective consultative committees record the following decisions in relation to the matters within the briefing papers and the discussion which took place in the committees.
(i) Operations Consultative Committee
“13/10/2021 - PAPER RECEIVED -Roshan Daluwakgoda
Dallas Reilly: FRV does not have the desire to implement both 14 character password and MFA, but a risk assessment will be undertaken and if we find that we need to implement both then we will bring that back to CC.
UFU: Agree to endorse the recommendation of the proposal with the noting the following; the UFU want insurance and clarity that the 14 character password issue will be resolved. UFU would request a further report back (in the next 3-6 months) on the introduction of the e-token provision for the employees who do not have access to a smart phone. UFU note the requirement to take to the issue to the Corporate CC.
FRV: Accepts the UFU requests and proposals”[56] (underlining added)
(ii) Corporate Consultative Committee
“Implementing MFA for Remote Access to FRV ICT Systems
Roshan Daluwakgoda
PAPER RECEIVED
Roshan provided the committee with an overview of the paper. Confirming the purpose of the paper.
1. MFA for users accessing FRV systems from personal devices.
VP noted that this group who access via personal device may group as MSS is being used.
2. Implementing Phishing Alert Button.
BG when is this being turned on? RD confirmed a communication will be provided on how to utilise the button, with the it to be rolled out immediately.
The UFU note the importance of the paper and the significance of the risk. The industrial issue is whether the MFA is an ‘opt in’ and ‘opt out’ facility. DR confirmed not ‘opt in’ on personal devices, it is required on personal device.
A meeting to discuss framework to be held in the coming week.
It was discussed that the Information Security Management Framework (ISMF) is the overarching framework for information security management to meet the VPDSS requirements, the technical implementation of MFA highlighted in this paper is focused on risk remediation and independent to the framework document. (RD)
RD advised a draft communication is attached to the proposal and would meet with BG to refine and agree release. BG noted the need to keep it simple KIS.”[57] (underlining added)
Mr Hamilton’s evidence is that the proposition before the Operational Consultative Committee was limited to a requirement to use MFA when accessing FRV systems remotely. He held other concerns about passwords and the use of tokens;
“I had concerns about members being required to have a 14-character password. I was also concerned that members would be required to have and use a personal mobile phone to provide MFA. Finally, I was concerned about how e-tokens would work to provide MFA. For these reasons I said that the UFU requested a further report back in the next 3 – 6 months. That report back would provide an opportunity to assess how things were going and what needed to happen.”[58]
Mr Hamilton does not recall a report-back about these matters.[59]
Ms Ganal notes that she chaired the Corporate Consultative Committee meeting in question and says about the minutes that her recollection is that the proposal was “not approved” by the committee;
“The minutes to that meeting do not record any approval or agreement by the UFU of the recommendation to endorse the implementation of MFA when a user is accessing the FRV systems from outside the FRV network. That accords with my recollection that the recommendation was not approved by the Corporate CC.”[60]
Following the committee meetings, FRV announced to employees that it would be upgrading its Citrix environment including by “Implementing Microsoft Multi Factor Authentication (MFA) to replace the current Personal Identification Number (PIN) and Google Authenticator combination”.[61]
There is a debate between the parties as to what was concluded by the consultative committees. Mr Ward says that he understood the proposal was “limited to remote IT access and steps would be put in place to ensure employees would not be required to use personal mobile phones to provide MFA in the future. My understanding was that they would either get an FRV phones or a token”.[62] Ms Ganal, who chaired the Corporate Consultative Committee recalls that the recommendation was not approved.[63] FRV instead advocates that the minutes provided to the Commission support the account given by Mr Reilly;
“15. I said during one or both meetings that the use of MFA would mean it would be unnecessary to use a 14-character password and MFA would be less burden and simpler for members to use. I used the analogy of being similar to the process that people use to access banking apps on their mobile devices today. I said this because some of the members of the two Committees expressed a concern about the transition from simple 8-character passwords. This is reflected in what is recorded in the extract of the minutes for the Operational Consultative Committee at (p 4), where I am identified as having said that we need to do a risk assessment and if we find we need to implement “both” (i.e. both MFA and 14-character passwords) then that specific issue would be brought back to the Committee. I also understood that a report back to that Committee within 3-6 months was only about the need for any practical adjustments arising from the member use of MFA and recommendations that were sought to be endorsed, and it was not for the purpose of reviewing the recommendations again. I understood this because I clarified this understanding at the meeting.
16. I do not recall the issue of the cost of personal mobile phones (that is the cost of running a mobile phone to use MFA) being a matter that was discussed during the meetings. I do recall that the issue of physical tokens was raised during the meeting as an alternative way that people who may not have a mobile phone to use MFA. Tokens were offered to members as part of the solution by individual request.”[64]
(c) After December 2022
The steps taken to remediate the FRV IT systems after the December 2022 cyber-attack are summarised above. In that period there was no formal consultation with employees on the deployment of MFA across FRV. The disputes that form the basis of the applications before me were first raised with FRV by the UFU on 11 August 2023. On 15 August 2023, Mr Moon “clarified FRV’s MFA policy”, stating that MFA was to be used “as a layer of security to access FRV content and systems such as the Intranet, FRV email and Microsoft Teams”.
(d) Conclusions on consultation
Question 5 as drafted starts from the proposition that employees were required to use their personal mobile phones in the course of their employment, when it is an open question as to whether there was any such requirement. Employees may have used their personal mobile phones, doing so to varying degrees of willingness, however the evidence does not allow a finding that employees were required to do so for MFA purposes. On that basis the question cannot be answered simply yes or no.
The better question is whether FRV failed to consult with employees about the general introduction of MFA for all network access.
In the case of the Operational Agreement, it is likely that consultation about the 2021 introduction of MFA for external users was “a matter or change about which consultation was required”. Despite its length, clause 16 is not especially definitive about what such a “matter or change” may be. At its widest, any matter pertaining to the employment relationship requires consultation and arguably the MFA change is within that category.
In the case of the CTE and PTA agreements, it is unlikely that consultation was required, as the introduction of MFA was likely not a change likely to have a significant effect on employees. While it is obvious the change has an effect of some kind on employees, the significance of the change is low in the case of the CTE agreement and does not fit any element of the definition of “significant effects” set out in the relevant clause of the PTA agreement.
Even so, and irrespective of whether FRV was obliged to consult in 2021 about the introduction of MFA for external users, it did so anyway in that year at least, but did not do so in 2023 after the cyber-attack.
The results of that consultation are clear: in the case of both committees, the proposal was limited to the use of MFA for external users and the proposal was authorised by the respective committees.
In the case of the Operations Consultative Committee, authorisation was given, but with an instruction that a report back be given to the committee in 3-6 months. The report back, which never occurred, was intended to address the problem of “the introduction of the e-token provision for the employees who do not have access to a smart phone”. I take this conclusion to be a request that the issue which remained was a desire on the part of the committee to understand the numbers of people who may not have access to a smart phone or otherwise required the issue of a token, and then the experience of those people in accessing the network over those 3-6 months which followed the consultative meeting. Plainly, the generality of the introduction of MFA for external users was approved. However, the approval was plainly limited to that which was identified to the committee in the briefing paper, namely “If the user is accessing remotely connecting to home broadband (internet) connection to access FRV ICS system or using personal mobile device to access FRV ICT systems (such as FRV emails, SharePoint, OneDrive and MS team applications etc.) they will be required to provide passcode received via SMS notification”. No part of that proposal would suggest a broader proposition that any and all access to the FRV network would require MFA.
In the case of the Corporate Consultative Committee, it is also plain that approval was given to the proposal taken to the committee, with the minutes recording some of the issues associated with the introduction of MFA but ultimately authorising a communication that could be distributed to affected employees. The minutes do not record anything which would suggest the communications should not proceed and there plainly would be no point in circulating the communication if its subject matter had not been approved.
Demonstrably, there was no consultation with employees or the consultative committees after the December 2022 cyber-attack and the changes which later occurred in relation to the wider use of MFA authentication.
Save for one matter, it may be said that there was no need for consultation with either consultative committee about the introduction of general MFA for the same reasons set out above in respect of the October 2021 consultation periods. That is, the introduction of general MFA is at the lower end of the change scale and is, of itself unlikely to have significant effects on employees. However, the balance in this regard is tipped by the fact that large swathes of employees would need to generate authentication codes by some means other than an FRV issued mobile phone and to do so from wherever they were accessing the network. That fact leads to a conclusion that there should have been consultation on the introduction of the change.
In saying this though, three matters must be borne in mind;
There is no clear identifiable decision point at which it may be said that FRV decided to require MFA authentication on a general basis.
The IT systems design issue referred to by Mr Moon explains to a degree why there may have been an omission on the part of FRV to formally consult about general MFA authentication. In this regard, Mr Moon explained to the Commission that following the cyber-attack the network was reconfigured so that all users are effectively treated as external users irrespective of their working location. This matter of system design at least explains why the organisation’s IT staff may well have taken the view that they were not actually implementing a change.
The impact of MFA changes on employees pales into insignificance against the catastrophic effects of the cyber-attack on FRV.
These matters at least explain the circumstance in which all concerned found themselves in 2023 and beyond.
In finality, in relation to Question 5, it may be found on the subject of consultation that FRV did not consult with employees or either consultative committee about the introduction of general MFA authentication following the December 2022 cyber-attack. This conclusion extends to each part of the question, dealing with each of the enterprise agreements before me.
Question 6 deals with the consequence of an affirmative finding to Question 5, and in particular whether employees “have suffered any imposition, detriment or disadvantage and should receive and compensatory payment in consequence thereof”. For the same reasoning as set out above in relation to each of Questions 1 – 4, to the extent that Question 6 invites findings about past disability, the question is impermissible. I will proceed on the basis that instead the question asks whether employees “are suffering any imposition, detriment or disadvantage …” instead of it asking whether they “have suffered”.
Five FRV employees gave evidence in these proceedings about the impact of FRV’s decisions upon them;
Maria Abrahams
· Ms Abrahams is an Acting Training Service Delivery Lead at level V of the CTE agreement. She performs most of her day-to-day work at the FRV Academy at Craigieburn but also on occasion works at the FRV Burnley complex.[65]
· After MFA was introduced, she used her personal mobile phone for authentication, being responsible for paying the bill for connection, data and calls. The FRV has not issued her with a mobile phone.[66]
· She no longer uses the Microsoft Authenticator application, finding it to be problematic. The process of MFA takes about a minute on each occasion. Generally, authentication allows her to access the FRV IT systems for about 24 hours, however on some days she is prompted to provide authentication on multiple occasions.[67]
· She would prefer not to use her personal mobile phone for work purposes, desiring to keep separate her work and personal life. She stores things on her mobile phone that she does not want to have hacked.[68]
· Using an office based landline for multifactor authentication is not feasible, as she sometimes needs to access the FRV IT network away from her office.[69]
· At the time of the hearing, she had not been provided with or offered a token for multifactor authentication purposes. She is not aware of any tokens having been received by staff at the FRV Academy and believes that, given the position she works in, she would have been aware had any been delivered.[70]
· She considers that presently she has no choice but to use her mobile phone to provide multifactor authentication.[71]
Danny Ward
· Mr Ward is an Acting Station Officer presently engaged in a project day role with the PFAS Project Department.[72]
· He is regularly required to use an FRV issued iPad in order to access the FRV network. He mainly works at the Lilydale PFAS department and sometimes at other locations.[73]
· His iPad was issued to him sometime between June and August 2022. Prior to December 2022, he did not have to provide multifactor authentication to log into the FRV iPad.[74]
· Logging onto the FRV system now requires obtaining an MFA code through his iPad. The process usually takes a few minutes and sometimes does not work the first time and can be cumbersome. Logging in must be done at the start of every day, but he is also sometimes locked out during the day and needs to repeat the process, particularly if he changes location.[75]
· He does not use the Microsoft Authenticator app and he believes the options available to him are to either make a call to a phone number or to be sent a text message to his mobile phone. Using a landline would not be an option for him, as he does not have one.[76]
· He has not been issued with a token by FRV and believes no employees in the team in which he works have been provided with a token either.[77]
James Kerwin
· Mr Kerwin is a Leading Firefighter and part of his job requires accessing certain FRV systems, including intranet rostering systems, Microsoft Teams and Microsoft Outlook. He uses an FRV computer on a station network, accessing it on average three times per shift.[78]
· He does not have an FRV supplied mobile phone; he uses his personal mobile, which he pays for through a regular service plan. He does not have his personal mobile phone connected to the station Wi-Fi due to privacy and security concerns.[79]
· He did not use the Microsoft Authenticator app prior to the December 2022 cyber incident; however, following the incident, he downloaded the app in early 2023.[80]
· He uses the Microsoft Authenticator app on his personal mobile phone in order to access the FRV systems he is required to use.[81]
· The fire station at which he works only has two FRV computers, one of which is dedicated solely to the senior officer, with the second being available to the three operational firefighters on each shift.[82]
· His experience is that, not only does he need to authenticate each time he logs in, Microsoft Edge also requires authentication each time he opens the application. Authentication can take up to 2 minutes each time he wants to access the intranet or the Microsoft Outlook suite.[83]
· If he did not use his own mobile phone for authentication, he would be unable to access the intranet.[84]
· He was issued with a token on 23 February 2024, however, at the time of the hearing had not received instruction or training on how to use it.[85]
· He says that he is required to have and pay for a smart phone and a mobile phone plan with sufficient data available to use the Microsoft Authenticator app.[86]
David Hamilton
· Mr Hamilton is an FRV Commander and Victorian Branch President of the UFU. He presently works in a project a work role as the PFAS Project Team Commander.[87]
· He has been issued by FRV with a mobile phone and an iPad.[88]
· He has not yet been provided with a token for MFA purposes.[89]
Belinda Ganal
· Ms Ganal is a Project Manager, Operational Communications, based at the FRV complex at Burnley, although she also works at different FRV locations or from home at times. She uses a range of different FRV IT systems, accessing them through an FRV laptop.[90]
· She has an FRV issued iPhone but uses both her FRV phone and her personal mobile phone.[91]
· Although she has an FRV issued iPhone, she has downloaded the Microsoft Authenticator app to her personal Android device because she had issues downloading the same app on her iPhone.[92]
· The use of MFA is cumbersome and repetitive; she needs to login at the start of each day and then repeat the process 3 to 4 times per day whenever she is locked out of the system. The authentication process can take a few minutes each time.[93]
· She is yet to be offered or provided with a MFA token.[94]
None of the evidence shows employees, at the time of the hearing, were required to use their own personal mobile phone or other devices for the purposes of multifactor authentication. There is obviously no dispute that Ms Abrahams, Mr Kerwin and Ms Ganal are using their personal mobile phone for MFA. There is also no dispute that both Mr Ward and Mr Hamilton have been issued with FRV devices that allow MFA.
In the case of Ms Ganal, she has been issued with an FRV mobile phone which she then chooses to not use for the purposes of MFA. At the time of the hearing, she had not been issued with a token for MFA purposes.
Ms Abrahams has not been issued with an FRV phone or MFA token. Mr Kerwin has not been issued with an FRV phone, however has received a token.
Either because of personal preference or because of what is now the widespread availability of MFA tokens, a finding is not available to me that employees are presently suffering “any imposition, detriment or disadvantage”, being the language of Question 6.
Whereas it could be said that at some stage in the past the practicality of the circumstance might have been that any particular employee needed to use their personal mobile phone in order to undertake MFA authentication, that need is no longer the case. The evidence is that, by March 2024, FRV had approximately 5000 physical tokens, of which approximately 3650 had been distributed to staff. A further 1000 had been allocated but not distributed.
In fairness though, the evidence is incomplete as to the final destination of all 5000 physical tokens. It would appear that there are blockages somewhere in the distribution chain that would cause individuals not to have yet been personally provided with their token.
However, that situation does not change the fact that more than enough tokens are available throughout FRV and so, to the extent that any person wants FRV to provide them with the tools to authenticate, a token is available for such purpose. Because of that, I am unable to find that FRV employees are suffering “any imposition, detriment or disadvantage” over the requirement for multi-factor authentication.
CONCLUSION
The evidence generally allows these findings;
The October 2021 consultative committee meetings authorised implementation of MFA for external Citrix based access. While I note both the UFU’s contentions that not even that was approved and FRV’s contentions that the committees agreed to implement MFA for both external as well as internal access, neither is consistent with the objective facts.
The IT and operational environments after the cyber-attack in December 2022 were likely chaotic and featured a “do whatever it takes to make sure it doesn’t happen again” mentality.
The evidence does not identify a single conscious point of decision, either in time or of a person to mandate MFA for internal as well as external users, although Mr Moon’s evidence gives some clues as to his decision-making when he says “the FRV ICT systems now effectively operate as though all persons are externally accessing those systems as though they are outside the FRV network and therefore need to use MFA”, i.e. everyone who accesses FRV ICT systems is treated as though they are a remote user, regardless of whether they are, in fact, physically working remotely or on FRV premises.[95]
The decision to implement MFA was imperfect, with the pathways for authentication not especially well-built at the time of the August 2023 email to employees from Mr Moon. The August 2023 email does not require employees to use their mobile phones for the MFA purposes, but offers that as a solution, against the knowledge that 1500 of its 4500 employees (roughly 1/3) had an FRV issued mobile phone. Offering tokens, with 16 of those on hand and 500 on backorder, FRV in August 2023 did not expect the use of tokens to be especially widespread.
FRV did not perceive an industrial element to the MFA change of practice until the UFU raised it as a dispute.
The evidence supports that alternative methods to the use of personal mobile were available for many employees, if not for all;
· some, but not all, employees could use a landline phone; and
· 1500 employees issued with an FRV mobile phone had no need to use their personal mobile phone (if they had one).
FRV now has sufficient tokens for every staff member who needs one.
Ultimately, the dispute now before me is that an allowance is justified either because employees are required to use their personal mobile phone in the course of their employment (Questions 1, 2, 3 and 4) or that, as a consequence, employees have suffered imposition, detriment or disadvantage (Question 6).
Against this is first the evidence that 3 of the 5 witnesses who are FRV employees have been issued with FRV mobile phones; second that a fourth had been issued with a token; and third that FRV now have sufficient tokens in place to address the needs of the sixth person.
There is no evidence that any of the 2 employees who did not have an FRV issued phone either had to buy a phone in order to use MFA or to upgrade their data plan or pay for additional data in order to meet the requirement for authentication.
Taking into account all these matters, I am unable to find employees are required to use their personal mobile phones in the course of their employment. While employees may use their phones in this way, it is not required. Accordingly, there is no justification to answer in the affirmative those parts of the questions for determination which would seek the creation or payment of an allowance or compensatory payment.
For the reasons set out above, I answer the Questions for Determination in the following way;
Question 1:
Whether FRV should pay, or should have paid, an allowance or compensation to employees to whom the Fire Rescue Victoria Operational Employees Interim Enterprise Agreement 2020 (Operational Agreement) applies, where such employees are or were required to use their own personal mobile phone device in the course of their employment.
Answer: (a) Not answered to the extent the question invites consideration of whether the FRV should have paid an allowance of compensation because employees were required to use their own personal mobile phone device in the course of their employment.
(b) Otherwise – No.
Question 2:
In the alternative to question 1, whether FRV should pay an allowance to employees to whom the Operational Agreement applies where such employees are or were required to use their own personal mobile phone device in the course of their employment in accordance with:
a. Clause 85.3 to Division A to the Operational Agreement; and
b. Clause 92.3 to Division B to the Operational Agreement.
Answer: (a) Not answered to the extent the question invites consideration of whether employees were required to use their own personal mobile phone device in the course of their employment in accordance.
(b) Otherwise – No.
Question 3:
Whether FRV should pay, or should have paid, an allowance or compensation to employees to whom the Fire Rescue Victoria (Former MFB) Corporate and Technical Employees Agreement 2017 (Former MFB Corporate Agreement) applies where such employees are or were required to use their own personal mobile phone device in the course of their employment.
Answer: (a) Not answered to the extent the question invites consideration of whether the FRV should have paid an allowance of compensation because employees were required to use their own personal mobile phone device in the course of their employment.
(b) Otherwise – No.
Question 4:
Whether FRV should pay, or should have paid, an allowance or compensation to employees to whom the Fire Rescue Victoria Former CFA Professional, Technical and Administrative Employees Agreement 2016 (Former CFA Corporate Agreement) applies where such employees are or were required to use their own personal mobile phone device in the course of their employment.
Answer: (a) Not answered to the extent the question invites consideration of whether the FRV should have paid an allowance of compensation because employees were required to use their own personal mobile phone device in the course of their employment in accordance.
(b) Otherwise – No.
Question 5:
Whether FRV has failed to consult with employees regarding the requirement to use personal mobile phone devices in the course of their employment as required by:
a. clause 16 17, 20 and 76 of Division A of the Operational Agreement;
b. clause 21, 22, 25 and 83 of Division B of the Operational Agreement;
c. clause 11 and 12 of the Former MFB Corporate Agreement; and/or
d. clause 11 of the Former CFA Corporate Agreement.
Answer: FRV failed to consult with employees and the two consultative committees about the introduction of multi-factor authentication for all access to its IT systems.
Question 6:
If the answer to any part of question 5 is yes, whether as a result, the employees affected by the failure to consult have suffered any imposition, detriment or disadvantage and should receive and (sic) compensatory payment in consequence thereof.
Answer: (a) Not answered to the extent the question invites consideration of whether employees have suffered imposition, detriment or disadvantage in the context of that being a reference to past disability.
(b) Otherwise – No.
The dispute is determined accordingly.
COMMISSIONER
Appearances:
Mr J McKenna of Council, for the UFU.
Mr M Felman KC, for the FRV.
Hearing details:
20 and 22 May 2024.
[1] FRV Outline of Submissions, [4] – [5]; Digital Hearing Book, p.409.
[2] Moon WS; DHB, pp.209 – 210.
[3] Witness Statement of Chris Moon, [40] – [45], Attachment CM – 17; Digital Hearing Book, pp.209 and 396.
[4] Moon WS, [46]; DHB, p.209.
[5] Moon WS, Attachment CM – 13; DHB, p.359.
[6] UFU Outline of Submissions, [20]; Digital Hearing Book, p.41.
[7] Ibid, p.42.
[8] Witness Statement of Belinda Jay Ganal, [40] – [42]; Digital Hearing Book, p.98.
[9] Witness Statement of David William Hamilton, [14]; Digital Hearing Book, p.79.
[10] Moon WS, [65]; DHB, p.213.
[11] Ibid.
[12] UFU Outline of Submissions, [24]; DHB, p.42.
[13] CTE Agreement Dispute Notification (Form F10), item 2.1; Digital Hearing Book, p.20 and PTA Agreement Dispute Notification (Form F10), item 2.1; Digital Hearing Book, p.28.
[14] Moon WS, 53; DHB, p. 210.
[15] Moon WS, Attachment CM – 18; DHB, pp.397 – 398.
[16] Moon WS, [56] and Attachment DM – 19; DHB, pp.211 and 399.
[17] Moon WS, [55]; DHB, p.211.
[18] Ibid, p.212.
[19] UFU Outline of Submissions, [5]; DHB, p.37.
[20] UFU Outline of Submissions, [48] – [49]; DHB, p.48.
[21] Ibid, [51] – [52], p.49.
[22] UFU Outline of Submissions, [68]; DHB, p.53.
[23] Ibid, [69], p.53.
[24] Ibid, [84], p.57.
[25] Ibid, [92], p.58.
[26] Ibid, [97], p.59.
[27] Ibid, [104-5], p.61
[28] Respondent's Outline of Opening Submissions, [32]; Digital Hearing Book, p.418.
[29] Ibid, [48], p.424.
[30] (1991) 39 IR 127.
[31] UFU Outline of Submissions; [36] – [37]; DHB, pp.45 – 46.
[32] Ibid, [38], p.46.
[33] UFU Outline of Submissions; DHB, pp.45 – 46.
[34] Ibid, [40], p.46.
[35] Ibid, [41], p.47.
[36] Ibid, [42] – [43], p.47.
[37] Ibid, [44], p.47.
[38] Witness Statement of Maria Audrey Abrahams, [19]; Digital Hearing Book, p.[67] – [68].
[39] Respondent's Outline of Opening Submissions, [31]; DHB, p.418.
[40] Ibid, [32], p.419.
[41] Ibid, [34], p.419.
[42] Ibid, [37], pp.419 – 420.
[43] Construction, Forestry, Mining and Energy Union v BHP Billiton Nickel West Pty Ltd [2017] FWCFB 217, [20]; drawn from Re Geelong Grammar School (2002) 123 IR 216, as cited in CPSU v Tenix Solutions Pty Ltd PR940630
[44] Re Ranger Uranium Mines Pty Ltd; Ex parte Federated Miscellaneous Workers’ Union of Australia (1987) 76 ALR 36, p.43; per Mason CJ, Wilson, Brennan, Deane, Dawson, Toohey and Gaudron JJ.
[45] Respondent's Outline of Opening Submissions, [51]; DHB, p.425.
[46] UFU Outline of Submissions, [58] – [60]; DHB, p.51.
[47] Toyota Motor Corporation Australia Limited v Marmara (2014) 222 FCR 152 [63] – [64]; [94] – [97].
[48] United Firefighters Union of Australia v Metropolitan Fire and Emergency Services Board and Country Fire Authority, [2018] FWC 4920, [72].
[49] UFU Outline of Submissions, [64]; DHB, p.52
[50] United Firefighters’ Union of Australia v Metropolitan Fire and Emergency Services Board; Country Fire Authority, [2019] FWCFB 184, [45].
[51] UFU Outline of Submissions, [66]; DHB, p.53.
[52] See CTE Agreement, Clause 5; PTA Agreement, Clause 4.
[53] Reilly WS, [10] – [11]; DHB, pp.130 – 131.
[54] Moon WS, [25]; DHB, p.205.
[55] Reilly WS, Attachments DR – 1 and DR – 2; DHB, pp.134 – 140 and 163 – 169.
[56] Reilly WS, Attachment DR – 3; DHB, p.193.
[57] Reilly WS, Attachment DR – 4; DHB, p.195
[58] Hamilton WS, [11]; DHB, p.78.
[59] Ibid, [12], p.79.
[60] Ganal WS, [13]; DHB, p.95.
[61] Ganal WS, Attachment BG-2; DHB, p.102.
[62] Ward WS [10]; DHB, p.70.
[63] Ganal WS, [13]; DHB, p.95.
[64] Reilly WS; DHB, pp.131 – 132.
[65] Exhibit UFU 1, Witness Statement of Maria Abrahams, [6]
[66] Ibid, [14].
[67] Ibid, [15]
[68] Ibid, [19].
[69] Ibid, [20].
[70] Ibid, [21].
[71] Ibid, [22].
[72] Exhibit UFU3, Witness Statement of Danny Ward, [1].
[73] Ibid, [6].
[74] Ibid, [13].
[75] Ibid, [14] – [17].
[76] Ibid, [18] – [19].
[77] Ibid, [20].
[78] Exhibit UFU 5, Witness Statement of James Kerwin, [1] – [9].
[79] Ibid, [10] – [11].
[80] Ibid, [12] – [13].
[81] Ibid, [14].
[82] Ibid, [15].
[83] Ibid, [19] – [21].
[84] Ibid, [22].
[85] Ibid, [25]
[86] Ibid, [26].
[87] Exhibit UFU 2, Witness Statement of David Hamilton, [3] – [4].
[88] Transcript, PN 362.
[89] Exhibit UFU 2, Witness Statement of David Hamilton, [17]
[90] Exhibit UFU 4, Witness Statement of Belinda Gale, [1] – [8].
[91] Ibid, [9].
[92] Ibid, [38].
[93] Ibid, [39] – [42].
[94] Ibid, [37].
[95] Moon WS, [52]; DHB, p.210.
Printed by authority of the Commonwealth Government Printer
<PR778419>